ASSESSMENT: Threat Intelligence and Credit Card Fraud

TARGET:

With the escape of card data and personal data from Target over the holiday season we have seen an uptick in stories about the underworld of carding. Of course Target is just one large company that has been hit with such attacks albeit this time this one hit scored over 70 million cards and their attendant PII data. As the fallout continues to get reported on the attack itself, Brian Krebs has been reporting on those behind the scenes offering up the “dumps” for the criminally inclined to buy cards and data in order to create new lines of credit or spend the ones that have been stolen. As time has worn on though, and as Target starts to release details of just how inadequate their security was on their systems that allowed this attack to happen from external access to their intranet one thing has become clear; Credit crime is not abating and the banks and credit companies are either powerless or don’t care to find ways to stop the hacks and dumps from happening in the first place. Target specifically in this instance has done a terrible job of responding to the incident with clients and the street and now that details are coming out about their internal security issues, they no doubt will be hiring PR firms by the dozen to spin a tale that this was impossible to have stopped.

CARDERS:

In reality the carders live a fairly open existence on the internet in PHP bulletin boards much like the jihadi’s do. Their OPSEC is lacking as Krebs can attest and in some cases really don’t care because they live or work in countries where the laws are not as robust and they don’t really fear prosecution. After having been on their sites and looked at caches as well as live data I can say that the OSINT that Krebs culls is not that hard to perform and that more people should be doing the same thing in order to interdict possible attacks in the future. I would assume that there are personnel tasked to do this from say Treasury or USSS but inasmuch as all of this came as such a surprise and that Krebs broke the story before anyone else says a lot about the lack of eyeballs on these forums. These guys are living large and often are not that old to begin with. We aren’t talking about old KGB guys now lurking the net and stealing credit card data to support their plans of world domination. What we are talking about are kids who play Xbox and have a revenue stream that is often times pretty robust allowing them to do pretty much whatever they want. Of course I suspect that there are ties to Mafiosi of the Russian variety (this case) as well as in other quarters because hey, this is just another piece of action right? What still amazes though is the naked operations that these guys carry out day to day that don’t even require much else than an ICQ connection and an email address that can be thrown away.

RESCATOR:

In the case of Rescator though, we have a kind of a “Senatus” as they like to call him on the sites who seems to have been at this for some time and has amassed an infrastructure to allow for the sale of not only stolen credit card data but also flooding services and other offerings. In the case of the latest Target affair, Senatus Rescator is most definitely at the forefront of the whole thing. He and others like Flavius are in charge of about 10 or so sites that are transitory at times and all bulletin boards pretty much explicitly for the trade of credit card data. Now, as to whether or not Rescator was the main operator behind this hack on target and others is a question that I cannot answer at the present time. I will say though that the conglomerate including those like Flavius and Rescator may in fact form the cabal that ordered up the hack and ex-filtration or perhaps just benefited from the dumps that came to them from the hackers. I lean towards though the idea that Rescator and Flavius and others were likely the ones who put this all together, purchased the malware, and got the hired hands to pull it off if not doing some of the work themselves. That Krebs and others have actually tracked Rescator to a single name and have his personal details shows the lack of OPSEC there and one hopes that sometime in the near future he will get a knock at the door from Interpol and the USSS/FBI but that remains to be seen.

The sites that Rescator and friends have set up are an arcology on the internet for underground (almost) carding forums. As at the top of the page (see maltego map) you can see that they all can be connected together either by registration data or links to one another to and from their domains. One interesting bit is the fact that a couple of the sites were registered our of the Seychelles by “Jeremiah Heisenberg” which has a checkered past with sites ranging from online poker for bitcoins to outright scams including takedown notices from MPAA. It seems that perhaps the nearest thing to a real financial entity that can be found in the intelligence gathering I did today was this company (likely a shell company) that could be a means to an end in laundering funds and cleaning them. As to whether or not Rescator and the others are a part in this or are just the mules (so to speak) is the question I still have and it will take more looking to see. In the end though this constellation of sites and their spidering out to many many others both on and off of the darkweb is the primary means for volume trafficking in stolen credit data and PII as well as bank accounts and access to financial institutions. In other words, a real and credible threat.

THREAT INTELLIGENCE AND ANALYSIS:

I have been looking into these sites and the players for a little while now and I have to say that with the lack of OPSEC I would think they would be easy targets for takedown. What has been bothering me now since I started this Odyssey is that companies like Target as well as the banks out there lack any true intelligence gathering apparatus to actually monitor these sites and get insight into what is happening. Ok, I know this may sound a little out there to some and that I am asking for companies and banks specifically to have working intelligence apparatus but really, isn’t that the only real way to have a fighting chance here? Had the banks or some firms out there been doing what Krebs has been doing perhaps this attack would have been at least prepared for a little bit if not stopped due to intelligence gathering from these fairly open sites? My analysis that stemmed from about a day’s worth of looking backstops Krebs data and even goes further and really, I did not put all that much time into it. Imagine what could be done with the proper analysis and heads up on such POS malware as was plainly for sale and talked about in these forums?

It will be some time until the Target kerfuffles dust has settled but I would like to advocate more HUMINT and OSINT like Krebs has been doing by analysts either selling this as a service or perhaps in house operations that at the very least can spend some time Googling or using Maltego to determine just what is happening out there in these not nearly opaque bulletin boards. As I write this though I am wondering whether or not the simplest answer here is that the banks just don’t care because in the end the costs will circle back to the clients in the form of fee’s. This reasoning serves the cognitive dissonance within the financial sector that says it’s not their fault, it’s not your fault, but hell there is nothing we can do about it. I should think that more proactive approaches to anti-fraud methodologies might be better but who knows what they are thinking. Overall this kind of crime will continue both big and small because the companies make it easy for the criminals to hack them (bad passwords and processes etc) as well as the lackadaisical leze fair attitude on the part of the credit corporations and banks persist. The real loser though will be the client who has to deal with bad credit through identity theft, loss of funds that may or may not be guaranteed, and generally being the product for sale by these miscreants.

I think the reality is that this type of work is still too advanced for most companies to stomach. Target was in the process of downsizing their security program, so they obviously weren’t about to stand up some new intel arm. Companies that do perform some of this work for their clients are extremely expensive, and the source and techniques of acquiring the information (even at a high level) are not communicated. And finally, any boutique firm that is looking to offer this as a service (which would be both fun and potentially effective for the clients) is going to face the problem of looking like an extortionist during the sales pitch.